Researchers still don’t know the cause of a recently discovered malware infection that affects about 1.3 million streaming devices running open-source versions of Android in about 200 countries.
Security firm Doctor Web said Thursday that malware called Android.Vo1d installs a backdoor on the Android-based boxes, placing malicious components in the system storage area where a command-and-control server can update them with additional malware at any time. Google representatives said the infected devices run an operating system based on the Android Open Source Project. That version is overseen by Google but is distinct from Android TV, a proprietary version available only to licensed device manufacturers.
Dozens of variations
Although Doctor Web has analyzed Vo1d in detail and documented the extraordinary reach it achieved, the company’s researchers say they have not yet identified the attack vector that caused the infection.
“At this time, the cause of the TV box backdoor infection remains unknown,” Thursday’s post said. “One possible infection vector could be an attack by intermediary malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector is the use of an unofficial firmware version.”
The device models infected with Vo1d are:
| TV box model | Declared firmware version |
|---|---|
| R4 | Android 7.1.2; R4 build/NHG47K |
| TV box | Android 12.1; TV box build/NHG47K |
| KJ-SMART4KVIP | Android 10.1; KJ-SMART4KVIP build/NHG47K |
One possible cause of infection is that the devices run an older OS version that is vulnerable to exploits that remotely execute malicious code on the device. For example, versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively. Additionally, Doctor Web notes that it is not uncommon for manufacturers of low-cost devices to install older OS versions on streaming boxes and disguise them as more recent versions to make the devices appear more appealing.
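One defender-side check that follows from the table above: Android build IDs conventionally begin with a letter that identifies the release (N for 7.x, Q for 10, S for 12), so a declared version whose build ID starts with the wrong letter is a sign the firmware is misrepresented. The script below is an added example, not code from the article or from Doctor Web; it assumes the build strings are in the table's "Android X.Y; model build/ID" form (on a real box the same two values come from the `ro.build.version.release` and `ro.build.id` system properties).

```python
import re

# Leading letter of an AOSP/Google build ID -> Android major release it belongs to.
# This is the conventional AOSP naming scheme, not something stated in the article;
# vendor-specific build IDs may not follow it, which the code reports as "unknown".
BUILD_LETTER_TO_MAJOR = {
    "N": {7}, "O": {8}, "P": {9}, "Q": {10}, "R": {11}, "S": {12}, "T": {13},
}

# Declared firmware strings copied from the article's table.
DECLARED = [
    ("R4", "Android 7.1.2; R4 build/NHG47K"),
    ("TV box", "Android 12.1; TV box build/NHG47K"),
    ("KJ-SMART4KVIP", "Android 10.1; KJ-SMART4KVIP build/NHG47K"),
]


def parse_declared(s):
    """Return (declared_major_version, build_id) from an 'Android X.Y; model build/ID' string."""
    m = re.match(r"Android\s+(\d+)(?:\.\d+)*;.*?build/(\S+)", s, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    return int(m.group(1)), m.group(2)


def build_id_consistent(declared_major, build_id):
    """True/False if the build ID's leading letter does/does not match the declared
    major version; None if the build ID does not follow the AOSP letter scheme."""
    expected = BUILD_LETTER_TO_MAJOR.get(build_id[:1].upper())
    if expected is None:
        return None
    return declared_major in expected


def audit(entries):
    """Map each model to 'consistent', 'mismatch' or 'unknown'."""
    verdicts = {}
    for model, s in entries:
        major, build_id = parse_declared(s)
        ok = build_id_consistent(major, build_id)
        verdicts[model] = "unknown" if ok is None else ("consistent" if ok else "mismatch")
    return verdicts


if __name__ == "__main__":
    for model, verdict in audit(DECLARED).items():
        print(f"{model}: {verdict}")
```

For the article's three entries only the R4 string is self-consistent; the other two declare Android 12.1 and 10.1 while carrying a Nougat-era build ID, which is exactly the "older OS disguised as newer" pattern Doctor Web describes.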
Additionally, while only licensed device manufacturers can modify Google’s Android TV, any device manufacturer is free to make changes to the open source version. This leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time end users purchased them.
“These third-party devices found to be infected were not Play Protect-certified Android devices,” Google said in a statement. “If a device is not Play Protect certified, Google has no record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”